JP2006174320A - Authentication apparatus and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an online service needing an authentication to a communication terminal having no authentication information by utilizing the authentication information of another communication terminal. <P>SOLUTION: The authentication apparatus 100 is connected communicably to a communication terminal 10 requesting a service needing the authentification and a communication terminal 20 holding the authentication information through a network. When the request of a service to be provided by a service providing device 30 is received from the communication terminal 10, the authentication apparatus 100 generates session information with respect to the service, transmits the session information to the communication terminal 10, and authenticates the communication terminal 20 according to received authentication information when the communication terminal 10 receives the session information and the authentication information from the communication terminal 20 acquiring the received session information from the relevant communication terminal 10. When the authentication is made successful, it is permitted to provide the service to the communication terminal 10 on the basis of the session information received together with the authentication information. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an authentication apparatus and an authentication method for authenticating a user who uses a communication terminal and a communication terminal.

  2. Description of the Related Art Conventionally, as a technology for a communication device such as a server or gateway on a network to authenticate a user who uses a communication terminal or a communication terminal, there is a technology that uses a password, a secure token, or the like. In recent years, security awareness in communication devices has increased, instead of authentication using passwords, based on authentication information stored in hardware tokens including electronic tokens, secure tokens, IC cards, one-time password tokens, etc. There is an increasing demand from communication device managers to provide online services using authentication technology for authentication. Note that the authentication information is, for example, an electronic certificate, and is information for authenticating a user or the like.

  However, authentication technology using hardware tokens requires the distribution of hardware tokens to users, and the trouble of installing software for using tokens on the user's communication terminal, such as a personal computer. It was used only for a limited number of business purposes.

In addition, as a conventional authentication technique using a mobile phone, for example, a barcode request signal is received from a communication terminal of a person to be authenticated, a barcode is generated according to the received barcode request signal, and the generated barcode is Receives the barcode recorded on the communication terminal that is sent from the authentication requester's barcode reader that is sent to the authenticated person's communication terminal and reads it from the authentication requester, and verifies the received barcode. An authentication system is known that transmits an authentication signal to the authentication requester when it is determined that has succeeded (see, for example, Non-Patent Document 1). Based on the authentication signal transmitted by this conventional authentication device, the authentication requester can perform authentication for providing a service to the user of the communication terminal.
“Explanation Everyone can use the mobile phone Part 5-Use the camera (2) You can buy cola with QR code” Mekkei Mechanical, August 2003, page 56

  However, the above-described conventional authentication device can authenticate the identity of the user of the communication terminal that transmitted the barcode request signal to the authentication device, but authentication information stored in a hardware token or the like. Communication terminals such as personal computers that do not have authentication cannot be authenticated, and there is a problem that online services that require authentication cannot be provided.

  The present invention was made in order to solve the conventional problems. Even if a communication terminal does not have authentication information, if the other communication terminal has authentication information, an online service that requires authentication is provided to the user. An object of the present invention is to realize an authentication device and an authentication method that can be performed.

  The authentication apparatus according to claim 1 is an authentication apparatus that is communicably connected to a first communication terminal that requests a service that requires authentication and a second communication terminal that holds authentication information via a network. Then, when the request accepting unit accepts the service request from the first communication terminal and the request accepting unit accepts the service request, it generates session information about the service and sends it to the first communication terminal. Session information transmitting means for transmitting, and session information receiving means for receiving the session information and authentication information from the second communication terminal obtained from the first communication terminal for the session information received by the first communication terminal Authentication means for authenticating the second communication terminal based on the authentication information received by the session information receiving means, and the authentication means Service providing permission means for permitting provision of service to the first communication terminal based on the session information received by the session information receiving means when authentication of the second communication terminal is successful. It is characterized by.

  With this configuration, authentication of the second communication terminal is performed based on the received authentication information, and if the authentication is successful, authentication is performed in order to permit provision of a service to the first communication terminal based on the received session information. Even if a communication terminal has no information, if the other communication terminal has authentication information, an online service requiring authentication can be provided to the user.

  The authentication device according to claim 2 is characterized in that at least one of communication with the first communication terminal and communication with the second communication terminal is encrypted.

  With this configuration, highly confidential information can be transmitted and received.

  The authentication apparatus according to claim 3, in addition to the above, includes session information holding means for holding session information generated by the session information transmitting means, session information received by the session information receiving means, and session information holding means. Session information determination means for determining whether or not the held session information is consistent, the service provision permission means has succeeded in authentication of the second communication terminal by the authentication means, and When it is determined that the session information determination unit matches, provision of a service to the first communication terminal is permitted based on the session information.

  With this configuration, when authentication is successful and it is determined that the received session information is consistent with the held session information, the session generated by the authentication device is permitted to permit service provision to the first communication terminal. It is possible to prevent provision of a service to a third party who has falsified the information and impersonated the first communication terminal.

  The authentication apparatus according to claim 4, wherein the session information transmission unit generates session information including a different identifier for each request for the service and transmits the session information to the first communication terminal, and the session information determination unit includes: It is determined whether or not the identifier included in the session information received by the session information receiving unit matches the identifier included in the session information held by the session information holding unit.

  According to this configuration, since it is compared with session information including a different identifier for each request, it is possible to prevent provision of a service to a third party who has falsified the session information and impersonated the first communication terminal.

  The authentication apparatus according to claim 5, in addition to the above, includes an elapsed time calculation unit that calculates an elapsed time from the time of transmission based on time information indicating a time point when the session information transmission unit transmits session information. The elapsed time calculating means calculates the elapsed time based on the time information corresponding to the session information when it is determined that the session information determining means is matched, and the service providing permission means is configured to calculate the elapsed time. Is provided when the service is less than a predetermined time.

  With this configuration, when the elapsed time exceeds a certain time, the provision of the service to the first communication terminal is not permitted, and therefore the provision of the service to the third party using the inappropriate session information can be prevented.

  The authentication apparatus according to claim 6, in addition to the above, includes an elapsed time calculation unit that calculates an elapsed time from the transmission time based on time information indicating a time point when the session information transmission unit transmits the session information. The elapsed time calculating means calculates an elapsed time based on the time information included in the session information received by the session information receiving means, and the service providing permission means has the calculated elapsed time equal to or less than a predetermined time. In this case, the provision of the service is permitted.

  With this configuration, when the elapsed time exceeds a certain time, the provision of the service to the first communication terminal is not permitted, and therefore the provision of the service to the third party using the inappropriate session information can be prevented.

  The authentication apparatus according to claim 7, wherein the authentication information includes a terminal identifier of the second communication terminal, a user identifier of a user who uses the second communication terminal, or the terminal identifier and the user. It consists of a combination of identifiers.

  With this configuration, authentication can be performed using the terminal identifier of the communication terminal and the user identifier.

  An authentication apparatus according to an eighth aspect is characterized in that the authentication information includes an electronic certificate.

  With this configuration, since it is an electronic certificate, highly reliable authentication can be performed.

  The authentication apparatus according to claim 9, wherein the session information includes image information representing an identification code.

  With this configuration, it is possible to identify session information configured by a QR code or the like.

  The authentication apparatus according to claim 10, wherein the session information includes text information representing a character string.

  With this configuration, it is possible to identify session information composed of text information.

  The authentication apparatus according to an eleventh aspect is characterized in that the session information includes billing information representing billing.

  With this configuration, if the user of the second communication terminal is charged based on the charging information included in the session information, the user of the second communication terminal is charged instead of the user of the first communication terminal. Can be charged.

  The authentication apparatus according to claim 12, wherein the service provision permission unit includes a user identifier of a user who uses the first communication terminal and a user identifier of a user who uses the second communication terminal. It has policy information representing a corresponding condition, and the provision of the service is permitted based on the policy information.

  With this configuration, provision of a service to the first communication terminal according to the correspondence condition between the user identifier of the user who uses the first communication terminal and the user identifier of the user who uses the second communication terminal Can be allowed.

  The authentication apparatus according to claim 13, in addition to the above, is an authentication gateway apparatus for providing a service for temporarily connecting a first communication terminal to a network, and requesting a service from the first communication terminal And a session information transmission unit that generates session information including an ID of the authentication gateway device and transmits the session information to the first communication terminal when the request reception unit receives the request for the service. Session information receiving means for receiving an authentication result and session information from an authentication device, and service providing means for providing a network connection service for the first communication terminal based on the authentication result and session information received by the session information receiving means And providing the service provision permission When the authentication of the second communication terminal by the authentication unit is successful, the authentication unit certifies the authentication result and the session information based on the ID of the authentication gateway device included in the session information received by the session information receiving unit. It transmits to a gateway apparatus, It is characterized by the above-mentioned.

  With this configuration, the second communication terminal is authenticated based on the received authentication information. If the authentication is successful, the authentication result and the session information are authenticated based on the ID of the authentication gateway device included in the received session information. Since the first communication terminal is transmitted to the gateway device and the first communication terminal is connected to the network by the authentication gateway device during the session, even if the second communication terminal has the authentication information even if the first communication terminal does not have the authentication information. A service for temporarily connecting the first communication terminal to the network can be provided to the user.

  The authentication apparatus according to claim 14, in addition to the above, when the request receiving unit receives a request for registration of the second communication terminal from the first communication terminal, user information for registration is stored in the first information terminal. User information acquisition means for requesting and acquiring the communication terminal, wherein the request reception means receives a request for registration of the second communication terminal from the first communication terminal, and the session information transmission means includes: When the user information acquisition means acquires the user information, it generates session information related to registration of the second communication terminal and transmits it to the first communication terminal. The authentication means includes the user information acquisition means The acquired user information is stored together with the session information generated by the session information transmitting means, and the authentication information of the second communication terminal received by the session information receiving means is used as the session information. Characterized in that stored with the user information based on the session information received by the receiving unit.

  With this configuration, the second communication terminal is used to register the second communication terminal holding the authentication information applicable to the online service in the authentication device using the first communication terminal that does not have the authentication information. Authentication in the authentication device of the first communication terminal thus made becomes possible.

  The authentication method according to claim 15 connects the first communication terminal that makes a request for a service that requires authentication, the second communication terminal that holds authentication information, and the authentication apparatus so that they can communicate with each other. An authentication method in a system including at least a network, wherein the first communication terminal makes a request for the service, and the authentication device receives a service request from the first communication terminal, Session information related to the service is generated and transmitted to the first communication terminal, the first communication terminal receives session information transmitted by the authentication device, and the second communication terminal Session information received by one communication terminal is acquired from the first communication terminal, and the acquired session information and authentication information are transmitted to the authentication device. Session information and authentication information from the second communication terminal are received, and the second communication terminal is authenticated based on the received authentication information. If the authentication is successful, the second information is received based on the received session information. The provision of a service to one communication terminal is permitted.

  With this configuration, the second communication terminal is authenticated based on the received authentication information, and when the authentication is successful, the service is provided to the first communication terminal based on the received session information. Providing users with online services that require authentication by providing service-related information to the first communication terminal, even if the communication terminal does not have authentication information, but the other communication terminal has authentication information. Can do.

  The authentication method according to claim 16, wherein the session information includes charging information indicating charging for providing the service, and the authentication device includes the session information when authenticating based on the authentication information. Charging is performed based on the charging information.

  With this configuration, if the user of the second communication terminal is charged based on the charging information included in the session information, the user of the second communication terminal is charged instead of the user of the first communication terminal. Can be charged.

  ADVANTAGE OF THE INVENTION According to this invention, even if it is a communication terminal which does not have authentication information, if the other communication terminal has authentication information, the authentication apparatus and authentication method which can provide an online service which requires authentication to a user are implement | achieved it can.

  Hereinafter, an authentication device and an authentication method according to an embodiment of the present invention will be described with reference to the drawings.

(First embodiment of the present invention)
FIG. 1 shows a configuration diagram of the entire system including an authentication apparatus according to the first embodiment of the present invention. The authentication system shown in FIG. 1 includes an authentication device 100, a communication terminal 10, a communication terminal 20, and a service providing device 30.

  The authentication device 100 can communicate with the communication terminal 10 and the service providing device 30 via the network 9, and the authentication device 100 and the communication terminal 20 can communicate with each other via the network 8 and the network 9. In the embodiment of the present invention, the communication terminal 10 will be described as a personal computer, the network 9 as the Internet, the communication terminal 20 as a mobile phone, and the network 8 as a mobile phone network. However, the communication terminal 10, the communication terminal 20, the network 8, and the network 9 are not limited to those described above.

  In the first embodiment of the present invention, when a user wants to receive an online service that requires authentication using authentication information, such as an electronic commerce service, the communication terminal holds authentication information applicable to the online service. A configuration is described in which the communication terminal 10 that does not have authentication information such as an electronic certificate while using the authentication server 20 succeeds in the authentication performed by the authentication device 100.

  For example, the communication terminal 10 makes a request for a service provided by the service providing apparatus 30 to the authentication apparatus 100. When the authentication apparatus 100 accepts the request, the communication terminal 10 generates session information related to the service and generates the communication terminal 10. To be sent to. The service request may be a request using a predetermined protocol such as HTTP (HyperText Transfer Protocol), for example, and may be a request for establishing a session via a page for logging in to the service providing apparatus 30. . When the request is for establishing a session, the session information includes a session ID related to login.

  Further, in a session between the communication terminal 10 and the service providing device 30, a method using a session cookie or a method of embedding a session ID in a page is used, and the authentication device 100 processes session information according to these methods. . In order to improve security, it is desirable that the session itself is encrypted with HTTPS (Secure HyperText Transfer Protocol) or the like.

  The session information may be image information representing an identification code such as a QR (Quick Response) code. When the session information is a QR code, the authentication device 100 may transmit a QR code including a session ID, and further includes a QR including a URL (Uniform Resource Locator) representing the authentication device 100 in addition to the session ID. A code may be transmitted.

  When the session information is a QR code, the user displays an image representing the QR code received by the communication terminal 10 on the screen of the communication terminal 10 and displays an image representing the QR code from the camera provided in the communication terminal 20. Capture and acquire. Thereafter, the communication terminal 20 transmits session information and authentication information to the authentication device 100 by a user's operation.

  Here, the authentication device 100 receives the session information and the authentication information transmitted from the communication terminal 20, and authenticates the communication terminal 20 based on the received authentication information. For example, when the authentication is successful, the received session information Based on the above, the provision of service to the communication terminal 10 is permitted, and the fact that the provision of the service is permitted is transmitted to the communication terminal 20. A user who has confirmed this can receive online service by establishing a session with the service providing apparatus 30 via the communication terminal 10. Note that the user using the communication terminal 10 and the user using the communication terminal 20 may be the same or different from each other.

  When the session information received by the authentication apparatus 100 includes a session ID, it is determined whether or not the session ID is the same as the session ID included in the session information transmitted to the communication terminal 10. Cannot receive the online service via the communication terminal 10.

  In addition, it is assumed that at least one of communication with the communication terminal 10 and communication with the communication terminal 20 is encrypted according to HTTPS or the like. In addition, although it demonstrated that the image showing QR code was imaged and acquired from the camera with which the communication terminal 20 was equipped, between the communication terminal 10 and the communication terminal 20, Bluetooth (registered trademark), infrared communication ( The communication terminal 20 may acquire session information including a session ID and URL from the communication terminal 10 by performing communication connection in accordance with IrDA), wireless LAN, or the like.

  FIG. 2 shows a configuration diagram of the authentication apparatus according to the first embodiment of the present invention. The authentication device 100 shown in FIG. 2 includes a communication interface 110 that communicates with the network 9, a processor such as a CPU, and a storage device such as a hard disk, and includes a request receiving unit 101, a session information transmitting unit 102, A session information holding unit 103, a session information receiving unit 104, an authentication unit 105, a session information determination unit 106, a service provision permission unit 107, an elapsed time calculation unit 108, a communication interface 110, and a request processing unit 120 are included.

  The request accepting unit 101 is configured to accept a service request from the communication terminal 10 to the service providing apparatus 30 via the request processing unit 120.

  When the request receiving unit 101 receives a service request, the session information transmitting unit 102 generates session information related to the service and transmits it to the communication terminal 10 via the request processing unit 120.

  Note that the session information is not limited to image information representing an identification code such as a QR code, but may be text information representing a character string. In addition, the session information includes, for example, a request identifier indicating the number, time information indicating the time when the session information transmitting unit 102 transmits the session information to the communication terminal 10, a URL indicating the service providing apparatus 30, etc., a session identifier, and the like You may be made to do.

  If the session information includes a request identifier representing the number, the session information transmission unit 102 changes the request identifier for each request, generates session information including a different request identifier for each request, and transmits the session information to the communication terminal 10. It is supposed to be.

  The session information holding unit 103 includes a storage device or the like, and holds session information generated by the session information transmission unit 102. Further, the session information holding unit 103 may hold the session information generated by the session information transmitting unit 102 and the time information indicating the time point when the session information is transmitted in association with each other.

  The session information receiving unit 104 receives authentication information and session information from the communication terminal 20 via the request processing unit 120. The authentication information is information held by the communication terminal 20, the session information is information received by the communication terminal 10 from the authentication device 100, and further acquired by the communication terminal 20 from the communication terminal 10. Are transmitted by the communication terminal 20 together.

  The authentication unit 105 authenticates the communication terminal 20 based on the authentication information received by the session information receiving unit 104. For example, mutual authentication based on SSL (Secure Socket Layer) may be mutually performed using an electronic certificate which is one of authentication information. Further, the authentication information is not limited to an electronic certificate, and may be any one of a terminal identifier of the communication terminal 20, a user identifier of a user who uses the communication terminal 20, or a combination of a terminal identifier and a user identifier. Any information may be used as long as it can authenticate the user or the communication terminal 20, and the authentication unit 105 may perform authentication by exchanging such information.

  The session information determination unit 106 determines whether or not the session information received by the session information reception unit 104 matches the session information held by the session information holding unit 103. If the session information includes a request identifier representing the number, the session information determination unit 106 matches the request identifier included in the session information with the request identifier included in the session information held by the session information holding unit 103. Whether or not to do so is determined.

  When the authentication performed by the authentication unit 105 is successful, the service provision permission unit 107 sends an instruction to permit service provision to the communication terminal 10 to the service provision apparatus 30 based on the session information received by the session information reception unit 104. Accordingly, the service providing apparatus 30 provides an online service to the user. Further, the service provision permission unit 107 may permit the service provision to the communication terminal 10 when it is determined that the authentication performed by the authentication unit 105 is successful and the session information determination unit 106 is consistent.

  Furthermore, in addition to the above-described determination, the service provision permission unit 107 displays policy information indicating a correspondence condition between the user identifier of the user who uses the communication terminal 10 and the user identifier of the user who uses the communication terminal 20. And providing the service based on the policy information. For example, when the combination of the user identifier of the user who uses the communication terminal 10 and the user identifier of the user who uses the communication terminal 20 is not included in the combination represented by the policy information, the service provision permission unit 107 It is determined that service provision is not permitted.

  When the session information holding unit 103 holds the session information and the time information in association with each other, the elapsed time calculating unit 108 is based on the time information corresponding to the session information when the session information determining unit 106 determines that they match. The elapsed time is calculated. Further, when the time information is included in the session information, the elapsed time calculation unit 108 calculates the elapsed time based on the time information included in the session information.

  If the elapsed time calculated by the elapsed time calculation means 108 exceeds a certain time, the service provision permission means 107 is notified of this, and the service provision permission means 107 that has received the notice does not permit service provision. .

  The request processing unit 120 transmits the information output from the session information transmission unit 102 and the service provision permission unit 107 to the network 9 via the communication interface 110, and sorts the information received from the network 9 via the communication interface 110. The request is output to the request receiving means 101 or the session information receiving means 104.

  The request accepting unit 101, the session information transmitting unit 102, the session information receiving unit 104, the authenticating unit 105, the session information determining unit 106, the service provision permitting unit 107, the elapsed time calculating unit 108, and the request processing unit 120 include a CPU. It may be configured by a module of a program processed by a processor such as.

  An example of the operation of the authentication apparatus according to the first embodiment of the present invention configured as described above will be described with reference to the drawings. 3, 4 and 5 are flowcharts showing the operation of the authentication apparatus according to the first embodiment of the present invention.

  FIG. 3 is a flowchart showing an operation when the authentication apparatus 100 receives a request from the communication terminal 10 that does not hold the authentication information. First, it is confirmed whether a request for a service provided by the service providing apparatus 30 has been received from the communication terminal 10 (S1).

  When the request made by the communication terminal 10 is received, the presence / absence of session information corresponding to the request is confirmed (S2). When there is no session information, the session information transmission unit 102 generates session information based on information for identifying the communication terminal 10 such as information related to HTTPS for the request and cookie information, and holds the generated session information as session information. The information is held in the means 103 (S3) and transmitted to the communication terminal 10 (S4).

  Thereafter, for example, when the session information is a QR code, the user displays an image representing the QR code received by the communication terminal 10 on the screen of the communication terminal 10, and receives the QR code from the camera provided in the communication terminal 20. Capture and acquire an image to represent. Thereafter, the communication terminal 20 transmits at least one of the session information and the authentication information to the authentication device 100 by the operation of the user.

  If there is session information in S2, the service provision permission means 107 checks whether or not provision of a service corresponding to the session information is already permitted (S5). The service providing apparatus 30 is instructed to provide the service (S6). If not permitted, the process returns to S1.

  4 and 5 are flowcharts showing an operation when the authentication apparatus 100 receives information from the communication terminal 20 holding the authentication information. First, the session information receiving means 104 confirms whether or not information has been received from the monk terminal 20 (S11).

  When the information from the communication terminal 20 transmitted by the communication terminal 20 is received, the session information receiving unit 104 checks the presence or absence of authentication information from the received information (S12). If there is authentication information, the authentication unit 105 authenticates the communication terminal 20 based on the authentication information received by the session information receiving unit 104 (S13).

  The service provision permission unit 107 confirms whether or not the authentication based on the authentication information is successful (S14). If the authentication is successful, the service provision permission unit 107 confirms the presence or absence of session information from the received information (S15). If the authentication fails, the process returns to S11.

  If the authentication is successful and the received information includes session information, the process proceeds to S18. When there is no session information, the service provision permission unit 107 determines whether the session information determination unit 106 has already matched the session information corresponding to the authentication information and the session information held by the session information holding unit 103. Confirm (S16). If the matching has already been completed, the process proceeds to S20. If the matching has not been completed, the process returns to S11. In the embodiment of the present invention, the correspondence between the authentication information and the received session information is assumed to be made by the identifier of the communication terminal 20 included in each information.

  On the other hand, when there is no authentication information in S12, the session information receiving means 104 confirms the presence or absence of session information from the received information (S17). If there is no session information from the received information, the process returns to S11. If there is session information, the session information determination unit 106 matches the received session information with the session information held by the session information holding unit 103. It is determined whether or not (S18).

  If the received session information does not match, the process returns to S11. If matched, as shown in FIG. 5, the service provision permitting unit 107 has already succeeded in the authentication based on the received session information and the corresponding authentication information. It is confirmed whether it is (S19). If the authentication is successful, the process proceeds to S20. If the authentication is not successful, the process returns to S11.

  Further, when the session information holding unit 103 holds the session information and the time information in association with each other, the elapsed time calculating unit 108 time information corresponding to the session information when the session information determining unit 106 determines that they match. The elapsed time is calculated based on

  The service provision permission unit 107 checks whether or not the elapsed time calculated by the elapsed time calculation unit 108 exceeds a certain time (S20). If the predetermined time has been exceeded, the process returns to S11. If the predetermined time has elapsed, the service provision permission unit 107 determines whether the service provision satisfies the policy information based on the policy information ( S21).

  If the policy information condition is not satisfied, the process returns to S11. If the policy information condition is satisfied, the service provision permitting unit 107 permits the service provision to the communication terminal 10 and indicates that the service provision is permitted. It transmits to the communication terminal 20 (S22).

  The user who has confirmed that fact operates the communication terminal 10, and the communication terminal 10 can transmit the session information to the authentication apparatus 100, and S5 and S6 are processed to receive the provision of the online service.

  As described above, the authentication device and the authentication method according to the first embodiment of the present invention authenticate the communication terminal 20 based on the received authentication information. The communication terminal 10 is permitted to provide a service based on the information, and the service terminal 10 is provided with information on the service through the session. Therefore, even if the communication terminal 20 does not have authentication information, the authentication is performed if the communication terminal 20 has the authentication information. Users can be provided with the online services they need.

(Second embodiment of the present invention)
FIG. 6 shows a configuration diagram of the entire system including the authentication apparatus according to the second embodiment of the present invention. The authentication system illustrated in FIG. 6 includes an authentication device 200, a communication terminal 10, a communication terminal 20, and a service providing device 30.

  Of the components constituting the system according to the second embodiment of the present invention, the same components as those constituting the system according to the first embodiment of the present invention are denoted by the same reference numerals. Each description is omitted. The authentication device 200 can communicate with the communication terminal 10 and the service providing device 30 via the network 9, and the authentication device 200 and the communication terminal 20 can communicate with each other via the network 8 and the network 9.

  In the second embodiment of the present invention, for example, when it is desired to receive services such as electronic commerce, authentication information such as an electronic certificate is used while using the communication terminal 20 that holds authentication information applicable to the online service. A mode is described in which a communication terminal 10 that does not have a successful authentication performed by the authentication device 200 and charges the user of the communication terminal 20 instead of the user of the communication terminal 10.

  For example, a user who uses the communication terminal 10 intends to purchase a predetermined product or to provide a predetermined service via the service providing apparatus 30 that performs services such as electronic commerce. For example, the communication terminal 10 makes a request for a service provided by the service providing apparatus 30 to the authentication apparatus 200.

  When the authentication apparatus 200 accepts this request, it generates session information including billing information indicating billing for the service and transmits it to the communication terminal 10. The billing information includes information indicating a service to be used from among various services.

  When the session information is a QR code, the user displays an image representing the QR code received by the communication terminal 10 on the screen of the communication terminal 10 and displays an image representing the QR code from the camera provided in the communication terminal 20. Capture and acquire. Thereafter, the communication terminal 20 transmits session information and authentication information to the authentication apparatus 200 by a user operation.

  Here, the authentication device 200 receives the session information and the authentication information transmitted from the communication terminal 20 and authenticates the communication terminal 20 based on the received authentication information. For example, the authentication succeeds, and the received session information is converted into the received session information. When the provision of service to the communication terminal 10 is permitted based on this, the charging information included in the session information is stored in the own charging database or another charging database connected to the network 9. The authentication apparatus 200 may store charging information including information indicating the communication terminal 20 in the charging database in order to charge the user of the communication terminal 20.

  Thereafter, the authentication device 200 transmits a notification that the provision of the service is permitted to the communication terminal 20. A user who has confirmed this can receive online service by establishing a session with the service providing apparatus 30 via the communication terminal 10. Note that the user using the communication terminal 10 and the user using the communication terminal 20 may be the same or different from each other.

  FIG. 7 shows a configuration diagram of an authentication apparatus according to the second embodiment of the present invention. The authentication device 200 shown in FIG. 7 includes a communication interface 110 that communicates with the network 9, a processor such as a CPU, and a storage device such as a hard disk, and includes a request receiving unit 101, a session information transmitting unit 202, A session information holding unit 103, a session information receiving unit 104, an authentication unit 105, a session information determination unit 106, a service provision permission unit 207, an elapsed time calculation unit 108, and a request processing unit 120;

  Among the components constituting the authentication apparatus according to the second embodiment of the present invention, the same reference numerals are given to the same components as those constituting the authentication apparatus according to the first embodiment of the present invention. A description thereof will be omitted.

  In addition to the description of session information transmission unit 102 in the first exemplary embodiment of the present invention, session information transmission unit 202 generates session information including billing information and transmits it to communication terminal 10. Further, in addition to the description of the service provision permission unit 107 in the first embodiment of the present invention, the service provision permission unit 207 includes the accounting information included in the session information when the service provision is permitted based on the session information. Is stored in its own charging database or another charging database connected to the network 9.

  An example of the operation of the authentication apparatus according to the second embodiment of the present invention configured as described above will be described with reference to the drawings.

  As illustrated in FIG. 3, in S4, the session information transmission unit 202 transmits session information including charging information to the communication terminal 10. In S5, the service provision permission unit 207 confirms whether or not the provision of the service corresponding to the session information is already permitted. If the service is permitted, the service provision permission unit 207 provides the service provision to the communication terminal 10 in S6. The providing device 30 is instructed and the charging information included in the session information is stored in its own charging database or another charging database connected to the network 9.

  As described above, the authentication apparatus and the authentication method according to the second embodiment of the present invention charge a service charge to the user (contractor) of the communication terminal 20 based on the charge information included in the session information. If the user is charged, a business model can be constructed in which the user of the communication terminal 20 is charged instead of the user of the communication terminal 10.

  In the first and second embodiments, the authentication device 100 (200) and the service providing device 20 can communicate with each other via the network 9, but they are integrated and connected to the network 9. Also good.

(Third embodiment of the present invention)
FIG. 8 shows a configuration diagram of the entire system including the authentication apparatus according to the third embodiment of the present invention. The authentication system shown in FIG. 8 includes an authentication device 300, a communication terminal 10, a communication terminal 20, and an authentication gateway device 40.

  Of the components constituting the system according to the third embodiment of the present invention, the same components as those constituting the system according to the first embodiment of the present invention are denoted by the same reference numerals. Each description is omitted. The authentication device 300 and the authentication gateway device 40 can communicate via the network 9, and the authentication device 300 and the communication terminal 20 can communicate via the network 8 and the network 9.

  In the third embodiment of the present invention, for example, when it is desired to receive a service (hotspot service) that temporarily connects to a network such as the Internet, the communication terminal 20 that holds authentication information applicable to the online service is provided. A mode is described in which the communication terminal 10 having no authentication information such as an electronic certificate succeeds in authentication performed by the authentication device 300 while being used.

  The authentication gateway device 40 is for providing the above-described hot spot service, and issues session information including the ID of the authentication gateway device 40 when receiving a connection request from the communication terminal 10. And a network connection service for the communication terminal 10 is provided based on the authentication result and the session information from the authentication device 300.

  For example, when a user using the communication terminal 10 wants to provide the hot spot service described above, the communication terminal 10 makes a request for the hot spot service to the authentication gateway device 40.

  When receiving this request, the authentication gateway device 40 generates session information including the ID of the authentication gateway device and transmits it to the communication terminal 10.

  When the session information is a QR code, the user displays an image representing the QR code received by the communication terminal 10 on the screen of the communication terminal 10 and displays an image representing the QR code from the camera provided in the communication terminal 20. Capture and acquire. Thereafter, the communication terminal 20 transmits session information and authentication information to the authentication device 300 by the operation of the user.

  Here, the authentication device 300 receives the session information and the authentication information transmitted from the communication terminal 20, and authenticates the communication terminal 20 based on the received authentication information. For example, when the authentication is successful, the received session information Based on the ID of the authentication gateway device 40 included in the authentication gateway device 40, a mutually-authenticated encrypted communication channel is generated (the authentication device 300 and the authentication gateway device 40 share key information in advance). The authentication result and the session information are transmitted to the authentication gateway device 40.

  Thereafter, the authentication gateway device 40 provides a network connection service for the first communication terminal based on the authentication result and the session information received from the authentication device 300. The user can connect to the network 9 through the authentication gateway device 40 by the communication terminal 10.

  FIG. 9 shows a configuration diagram of an authentication apparatus according to the third embodiment of the present invention. The authentication device 300 shown in FIG. 9 includes a communication interface 110 that communicates with the network 9, a processor such as a CPU, a storage device such as a hard disk, and the like, and includes a request reception unit 101, a session information transmission unit 102, A session information holding unit 103, a session information receiving unit 104, an authentication unit 105, a session information determination unit 106, a service provision permission unit 307, an elapsed time calculation unit 108, and a request processing unit 120;

  Of the components constituting the authentication device according to the third embodiment of the present invention, the same components as those constituting the authentication device according to the first embodiment of the present invention are denoted by the same reference numerals. A description thereof will be omitted.

  In addition to the description of the service provision permission unit 107 in the first embodiment of the present invention, the service provision permission unit 307 authenticates the authentication result based on the ID of the authentication gateway device 40 included in the session information when the authentication is successful. And the session information is transmitted to the authentication gateway device 40.

  The block diagram of the authentication gateway apparatus which concerns on the 3rd Embodiment of this invention is shown in FIG. The authentication gateway device 40 shown in FIG. 10 includes a communication interface 41 that communicates with the network 9, a processor such as a CPU, a storage device such as a hard disk, and the like, and includes a request receiving unit 42 and a session information transmitting unit 43. Session information receiving means 44, service providing means 45, and request processing means 46.

  The request receiving unit 42 receives a service request from the communication terminal 10 via the request processing unit 46. The session information transmitting unit 43 generates session information including the ID of the authentication gateway device 40 and transmits it to the communication terminal 10 via the request processing unit 46 when the request receiving unit 42 receives a service request. It has become. The session information receiving unit 44 receives the authentication result and session information from the authentication device 300 via the request processing unit 46.

  The service providing unit 45 provides a network connection service for the communication terminal 10 based on the authentication result and the session information received by the session information receiving unit 44.

  As described above, the authentication apparatus and the authentication method according to the third embodiment of the present invention authenticate the communication terminal 20 based on the received authentication information. The authentication result and session information are transmitted to the authentication gateway device 40 based on the ID of the included authentication gateway device 40, and the communication terminal 10 is connected to the network by the authentication gateway device 40 during the session. If the communication terminal 20 also has the authentication information in the terminal 10, a service for temporarily connecting the communication terminal 10 to the network can be provided to the user.

(Fourth embodiment of the present invention)
FIG. 11 shows a configuration diagram of the entire system including the authentication apparatus according to the fourth embodiment of the present invention. The authentication system illustrated in FIG. 11 includes an authentication device 500, a communication terminal 10, and a communication terminal 20.

  Of the components constituting the system according to the fourth embodiment of the present invention, the same components as those constituting the system according to the first embodiment of the present invention are denoted by the same reference numerals. Each description is omitted. The authentication device 500 and the communication terminal 10 can communicate via the network 9, and the authentication device 500 and the communication terminal 20 can communicate via the network 8 and the network 9.

  Note that in the fourth embodiment of the present invention, in order to enable authentication in the authentication device 500 using the communication terminal 20 that holds authentication information applicable to the online service, the communication terminal 20 (authentication information thereof) Is registered in the authentication apparatus 500.

  For example, when a user using the communication terminal 10 tries to register the communication terminal 20 that holds the authentication information in the authentication device 500, the communication terminal 10 makes a request for terminal registration to the authentication device 500.

  Upon receiving this request, the authentication device 500 requests user information for terminal registration from the communication terminal 10, for example, transmits an input screen for the user information to the communication terminal 10.

  The user inputs user information such as a user ID and personal attribute information on the screen received and displayed by the communication terminal 10 and transmits it to the authentication apparatus 500.

  When the authentication apparatus 500 acquires user information from the communication terminal 10, the authentication apparatus 500 generates session information related to the terminal registration and transmits the session information to the communication terminal 10, and stores the session information together with the user information. The session information includes a session ID for registration, the URL of the authentication device for registration, and the like.

  When the session information is a QR code, the user displays an image representing the QR code received by the communication terminal 10 on the screen of the communication terminal 10 and displays an image representing the QR code from the camera provided in the communication terminal 20. Capture and acquire. Thereafter, the communication terminal 20 accesses the authentication device 500 based on the session information by the user's operation.

  Here, the authentication device 500 receives the authentication information from the communication terminal 20 (by the SSL negotiation process, the request for the terminal ID, etc.), and the authentication information together with the user information based on the session ID included in the session information. save.

  Thereafter, the authentication device 500 transmits to the communication terminal 20 that the registration of the communication terminal 20 has been completed. When the user who has confirmed that request requests registration confirmation from the communication terminal 10 to the authentication apparatus 500 based on the session information, the authentication apparatus 500 returns registration completion.

  FIG. 12 shows a configuration diagram of an authentication apparatus according to the fourth embodiment of the present invention. 12 includes a communication interface 110 that communicates with the network 9, a processor such as a CPU, and a storage device such as a hard disk, and includes a request receiving unit 501, a user information acquiring unit 510, A session information transmission unit 502, a session information holding unit 103, a session information reception unit 104, an authentication unit 505, a session information determination unit 106, a service provision permission unit 107, an elapsed time calculation unit 108, and a request processing unit 120;

  Among the components constituting the authentication apparatus according to the fourth embodiment of the present invention, the same reference numerals are given to the same components as those constituting the authentication apparatus according to the first embodiment of the present invention. A description thereof will be omitted.

  The request receiving unit 501 receives a request for registration of the communication terminal 20 from the communication terminal 10 in addition to the description of the session information transmitting unit 102 in the first embodiment of the present invention. Further, when the request receiving unit 501 receives a request for registration of the communication terminal 20 from the communication terminal 10, the user information acquiring unit 510 requests and acquires user information for registration from the communication terminal 10. In addition to the description of the session information transmission unit 102 in the first embodiment of the present invention, the session information transmission unit 502 relates to registration of the communication terminal 20 when the user information acquisition unit 510 acquires user information. Session information is generated and transmitted to the communication terminal 10.

  In addition to the description of the authentication unit 105 in the first embodiment of the present invention, the authentication unit 505 stores the user information acquired by the user information acquisition unit 510 together with the session information generated by the session information transmission unit 502. Further, the authentication information of the communication terminal 20 received by the session information receiving unit 104 is stored together with the user information based on the session information received by the session information receiving unit 104.

  As described above, the authentication device and the authentication method according to the fourth embodiment of the present invention use the communication terminal 10 that does not have the authentication information, and the communication terminal 20 that holds the authentication information applicable to the online service. Is registered in the authentication device 500, the authentication of the communication terminal 10 using the communication terminal 20 in the authentication device 500 becomes possible.

  As described above, the authentication apparatus and the authentication method according to the present invention provide a user with an online service that requires authentication if the other communication terminal has authentication information even if the communication terminal does not have authentication information. It is useful as an authentication server that authenticates a user who uses a communication terminal, a communication terminal, an authentication server, and the like.

1 is a configuration diagram of an entire system including an authentication device according to a first embodiment of the present invention. Configuration diagram of an authentication apparatus according to the first embodiment of the present invention A flowchart showing the operation when the authentication device accepts a request from a communication terminal that does not hold authentication information The flowchart which shows operation | movement when an authentication apparatus receives information from the communication terminal holding authentication information The flowchart which shows operation | movement when an authentication apparatus receives information from the communication terminal holding authentication information Configuration diagram of the entire system including the authentication device according to the second embodiment of the present invention The block diagram of the authentication apparatus which concerns on the 2nd Embodiment of this invention The block diagram of the whole system containing the authentication apparatus which concerns on the 3rd Embodiment of this invention The block diagram of the authentication apparatus which concerns on the 3rd Embodiment of this invention The block diagram of the authentication gateway apparatus which concerns on the 3rd Embodiment of this invention Configuration diagram of the entire system including the authentication device according to the fourth embodiment of the present invention The block diagram of the authentication apparatus which concerns on the 4th Embodiment of this invention

Explanation of symbols

  8, 9: Network, 10, 20: Communication terminal, 30: Service providing device, 40: Authentication gateway device, 100, 200, 300, 500: Authentication device, 41, 110: Communication interface, 42, 101, 501: Request Accepting means, 43, 102, 202, 502: Session information transmitting means, 44, 104: Session information receiving means, 45: Service providing means, 46, 120: Request processing means, 103: Session information holding means, 105, 505: Authentication means 106: Session information determination means 107, 207, 307: Service provision permission means 108: Elapsed time calculation means 510: User information acquisition means

Claims (16)

An authentication device that is communicably connected via a network to a first communication terminal that makes a request for a service that requires authentication and a second communication terminal that holds authentication information,
Request accepting means for accepting a service request from the first communication terminal;
Session information transmission means for generating session information related to the service and transmitting it to the first communication terminal when the request reception means receives the request for the service;
Session information receiving means for receiving the session information and authentication information from the second communication terminal obtained from the first communication terminal, the session information received by the first communication terminal;
Authentication means for authenticating the second communication terminal based on the authentication information received by the session information receiving means;
Service provision permitting means for permitting provision of service to the first communication terminal based on the session information received by the session information receiving means when the authentication means succeeds in authenticating the second communication terminal. An authentication device characterized by comprising.   The authentication apparatus according to claim 1, wherein at least one of communication with the first communication terminal and communication with the second communication terminal is encrypted. In addition to the above
Session information holding means for holding session information generated by the session information transmitting means;
Session information determining means for determining whether or not the session information received by the session information receiving means and the session information held by the session information holding means match,
The service providing permission means, when it is determined that the authentication of the second communication terminal by the authentication means is successful and the session information determination means is consistent, the service provision permission means for the first communication terminal based on the session information The authentication apparatus according to claim 1 or 2, wherein service provision is permitted.   The session information transmission unit generates session information including a different identifier for each request for the service and transmits the session information to the first communication terminal. The session information determination unit includes the session information received by the session information reception unit. 4. The authentication apparatus according to claim 3, wherein it is determined whether or not an identifier included in the session information and an identifier included in the session information held by the session information holding unit match. In addition to the above
Elapsed time calculation means for calculating an elapsed time from the time of transmission based on time information indicating the time of transmission of session information by the session information transmission means,
The elapsed time calculating means calculates an elapsed time based on the time information corresponding to the session information when it is determined that the session information determining means is matched, and the service providing permission means is configured to calculate the elapsed time. The authentication apparatus according to claim 3 or 4, wherein provision of the service is permitted when the time is equal to or shorter than a predetermined time. In addition to the above
Elapsed time calculation means for calculating an elapsed time from the time of transmission based on time information indicating the time of transmission of session information by the session information transmission means,
The elapsed time calculating means calculates an elapsed time based on the time information included in the session information received by the session information receiving means, and the service provision permitting means is configured such that the calculated elapsed time is less than a certain time. 5. The authentication apparatus according to claim 3 or 4, wherein provision of the service is permitted at a certain time.   The authentication information includes a terminal identifier of the second communication terminal, a user identifier of a user who uses the second communication terminal, or a combination of the terminal identifier and the user identifier. The authentication device according to claim 1.   The authentication apparatus according to claim 1, wherein the authentication information includes an electronic certificate.   The authentication apparatus according to claim 1, wherein the session information includes image information representing an identification code.   The authentication apparatus according to claim 1, wherein the session information includes text information representing a character string.   The authentication apparatus according to claim 1, wherein the session information includes charging information indicating charging.   The service provision permission unit has policy information indicating a correspondence condition between a user identifier of a user who uses the first communication terminal and a user identifier of a user who uses the second communication terminal, 12. The authentication apparatus according to claim 1, wherein provision of the service is permitted based on the policy information. In addition to the above
An authentication gateway apparatus for providing a service for temporarily connecting a first communication terminal to a network, wherein the request reception means receives a service request from the first communication terminal, and the request reception means includes the service Session information transmission means for generating session information including the ID of the authentication gateway device and transmitting the session information to the first communication terminal when receiving the request, and session information for receiving the authentication result and session information from the authentication device An authentication gateway device having at least receiving means and service providing means for providing a network connection service to the first communication terminal based on the authentication result and session information received by the session information receiving means;
When the authentication of the second communication terminal by the authentication unit is successful, the service providing permission unit is configured to perform an authentication result and a session based on an authentication gateway device ID included in the session information received by the session information reception unit. The information is transmitted to the authentication gateway device. The authentication device according to any one of claims 1 to 12. In addition to the above
User information acquisition means for requesting and acquiring user information for registration from the first communication terminal when the request reception means receives a request for registration of the second communication terminal from the first communication terminal; Prepared,
The request receiving means receives a request for registration of the second communication terminal from the first communication terminal,
When the user information acquisition unit acquires the user information, the session information transmission unit generates session information related to registration of the second communication terminal and transmits the session information to the first communication terminal.
The authentication unit stores the user information acquired by the user information acquisition unit together with the session information generated by the session information transmission unit, and the authentication information of the second communication terminal received by the session information reception unit is stored in the session. The authentication apparatus according to any one of claims 1 to 13, wherein the authentication information is stored together with the user information based on the session information received by the information receiving means. An authentication method in a system including at least a first communication terminal that makes a request for a service that requires authentication, a second communication terminal that holds authentication information, an authentication device, and a network that connects these devices in a communicable manner Because
The first communication terminal makes a request for the service,
When the authentication device receives a service request from the first communication terminal, the authentication device generates session information related to the service and transmits the session information to the first communication terminal.
The first communication terminal receives session information transmitted by the authentication device;
The second communication terminal acquires the session information received by the first communication terminal from the first communication terminal, transmits the acquired session information and authentication information to the authentication device,
The authentication apparatus receives session information and authentication information from the second communication terminal, performs authentication of the second communication terminal based on the received authentication information, and receives the authentication if successful. An authentication method characterized by permitting provision of a service to the first communication terminal based on session information.   The session information includes charging information representing charging for providing the service, and the authentication device includes the session information when authenticating the second communication terminal based on the authentication information. The authentication method according to claim 15, wherein charging is performed based on the charging information.

Images